Thycotic’s Cyber Security Publication

April 28th, 2016

Remember the hackers that stole more than $80 million from Bangladesh Bank back in February?

According to a new Reuters report, not only did they get away with a large amount of money, they may have also hacked the Society for Worldwide Interbank Financial Telecommunication (SWIFT), an organization which provides a network that enables financial institutions to exchange information about financial transaction details. Investigators researching the recent Bangladesh Bank heist previously said the still-unidentified hackers had broken into computers and took control of credentials that were used to log into the SWIFT system. But it appears that the SWIFT software on the bank computers was probably compromised in order to erase records of illegal transfers.

So why is this a big deal?

According to reports, the SWIFT messaging platform is used by 11,000 banks and other institutions around the world, though only some use the Alliance Access software. Exploiting privileged accounts is a critical stage of an attack lifecycle – and that is what appears to have happened when the SWIFT Software was compromised – resulting in an $81 million loss to the bank.

Today’s typical, advanced cyber-attacks are normally designed to evade traditional threat prevention technologies that are focused on protecting the perimeter from outside breach. Once inside a network, many of these modern attacks follow a common lifecycle. Attackers usually attempt to advance from the initial breach, escalating their privileges and moving laterally through the system to identify and access valuable targets and confidential information so they can access their target systems and information.

Once an attacker has hijacked the privileged credentials of an authorized user, its activities blend in with legitimate traffic and is therefore much more difficult to detect. Attackers can therefore operate undetected inside an organization for long periods of time.

More than likely, this is how this particular breach happened:

Perimeter compromise. Attackers gain entry into a corporate network through multiple attack vectors including email, web and endpoints. Attackers have become highly sophisticated and are increasingly finding ways to evade traditional network perimeter threat detection technologies. In most cases, immediately after the initial compromise, attackers download malware tools and establish a connection to a command-and-control server to enable ongoing control.

Escalate privileges. External attackers, after the initial compromise, target privileged accounts to facilitate the future stages of the attack. Through a variety of tactics, attackers attempt to gain possession of the credentials used to access privileged accounts. Privilege escalation appears to have been the critical stage of the attack, because if privileged credentials are compromised, the attacker is able to move closer to sensitive data while remaining undetected.

Reconnaissance and lateral movement. Once armed with privileged credentials, attackers may conduct stealth reconnaissance across the network to locate other vulnerable systems, and then spread laterally across the network in search of target data and systems. As the attacker identifies an additional interesting target, it may again need to escalate its privileges to gain access to the newly identified system and then continue its reconnaissance.

Data exfiltration. The final stage of an attack lifecycle is typically to exfiltrate the desired information from the target’s corporate network to a location that the attacker controls. Once the target information has been gathered in a staging area and is ready for exfiltration, the attacker can use its privileged access to bypass controls and monitoring technologies designed to prevent or detect exfiltration.

Clearly, there needs to be a solution put in place to protect organizations in the future from a similar incident. A Privileged Account Security Solution will provide organizations with the following capabilities that could be a critical part of solution:

Comprehensive platform for proactive protection of privileged credentials and target assets from cyber-attacks. A solution for privileged account security enables to proactively protect against and automatically detect and respond to in-progress cyber-attacks before they strike vital systems and compromise sensitive data.

Automatic identification and understanding of the scope of privileged account risk. A PAM solution automatically detects privileged accounts across the enterprise and helps customers visualize the resulting compliance gaps and security vulnerabilities. This automated process reduces the time-consuming and error-prone task of manually tracking and updating privileged credentials, thereby decreasing IT operational costs. This enhanced visibility significantly improves the security posture of our customers and facilitates adherence to rigorous audit and compliance standards.

Continuous monitoring, recording and secure storage of privileged account activity. A PAM solution monitors, collects and records individual privileged session activity down to every mouse click and keystroke. It also provides highly secure storage of privileged session recordings and robust search capabilities allowing organizations to meet their audit and compliance requirements. Session recordings also provide a full forensics record of privileged activity to facilitate a more rapid and precise response to malicious activity.

Organizations have invested heavily in security products to protect their IT infrastructure and valuable information. According to IDC, worldwide spending on IT security products is expected to grow from $32.0 billion in 2013 to $42.0 billion by 2017. Historically, the majority of this spending has been focused on perimeter threat protection products such as firewalls, network and web security.

While prevention of the initial breach is an important layer of an enterprise security strategy, at Thycotic, we do not believe that perimeter-based threat protection alone is sufficient to protect against today’s increasingly sophisticated and targeted external security threats.

Despite significant investments in perimeter-based threat protection solutions, most enterprises are still being breached. Therefore, we believe that in the future, a greater portion of the overall spend must be dedicated to security solutions focused on the inside of the enterprise.

Jim Legg

Jim has amassed over 25 years of managerial and sales experience in guiding technology companies to accelerated, sustained growth. Most recently, he served as EVP and GM of Unitrends, Inc., after serving as CEO of PHD Virtual, acquired by Unitrends in 2013. Previously, he served as VP of worldwide sales for Idera Corporation, and was VP of sales at NetIQ Corporation, having come there via the acquisition of PentaSafe Security Technologies, a remote access, vulnerability assessment and intrusion detection solution provider. Legg's experience with rapidly growing technology companies dates back to his days at Peregrine Systems where he was a member of the management team that helped launch the company's IPO. Today, Jim serves as Thycotic’s CEO and is responsible for the day-to-day operations, propelling Thycotic to the next level in its evolution as the premier provider of privileged account management solutions for the enterprise.